socialscan offers accurate and fast checks for email address and username usage on online platforms. Given an email address or username, socialscan returns whether it is available, taken or invalid on online platforms.

Features that differentiate socialscan from similar tools (e.g. knowem.com, Namechk, and Sherlock):

- 100% accuracy: socialscan's query method eliminates the false positives and negatives that often occur in similar tools, ensuring that results are always accurate.
- Speed: socialscan uses asyncio along with aiohttp to conduct all queries concurrently, providing fast searches even with bulk queries involving hundreds of usernames and email addresses. On a test computer with average specs and Internet speed, 100 queries were executed in ~4 seconds.
- Library / CLI: socialscan can be executed through a CLI, or imported as a Python library to be used with existing code.
- Email support: socialscan supports queries for both email addresses and usernames.

The following platforms are currently supported:

| Platform | Username | Email |
|---|---|---|
| Instagram | yes | yes |
| Twitter | yes | yes |
| GitHub | yes | yes |
| Tumblr | yes | yes |
| Lastfm | yes | yes |
| Snapchat | yes | |
| GitLab | yes | |
| Reddit | yes | |
| Yahoo | yes | |
| Pinterest | | yes |
| Spotify | | yes |

Background

Other similar tools check username availability by requesting the profile page of the username in question and based on…

Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security:

- Monitoring: Packet capture and export of data to text files for further processing by third party tools.
- Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
- Testing: Checking WiFi cards and driver capabilities (capture and injection).
- Cracking: WEP and WPA PSK (WPA 1 and 2).

All tools are command line, which allows for heavy scripting. A lot of GUIs have taken advantage of this feature. It works primarily on Linux but also on Windows, OS X, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.

It's been more than a year since the last release, and this one brings a ton of improvements. The most noticeable change is the rate display in Airodump-ng. Previously, it went up to 54Mbit. Now, it takes into account the complexity of 802.11n/ac and calculates the maximum rate that can be achieved on the AP. Expect 802.11ax rates in the next release. We brought basic UTF-8 support for ESSIDs, and if you ever come across WPA3 or OWE, these will be displayed correctly as well.

Airodump-ng has had the ability to read PCAP files for quite some time, which can be handy to generate one of the CSV/netxml or other output formats available. However, signal levels were not displayed; this has now been fixed. A new option has been added to read the files in realtime, instead of reading all at…

Memhunter is an endpoint sensor tool specialized in detecting resident malware, improving the threat hunter's analysis process and remediation times. The tool detects and reports memory-resident malware living in endpoint processes. Memhunter detects known malicious memory injection techniques. The detection process is performed through live analysis and without needing memory dumps. The tool was designed as a replacement for memory forensic Volatility plugins such as malfind and hollowfind. Not requiring memory dumps helps in performing memory-resident malware threat hunting at scale, without manual analysis, and without the complex infrastructure needed to move dumps to forensic environments.

The detection process is performed through a combination of endpoint data collection and memory inspection scanners. The tool is a standalone binary that, upon execution, deploys itself as a Windows service. Once running as a service, memhunter starts the collection of ETW events that might indicate code injection attacks. The live stream of collected data events is fed into memory inspection scanners that use detection heuristics to down-select the potential attacks. The entire detection process requires neither human intervention nor memory dumps, and it can be performed by the tool itself at scale.

Besides the data collection and hunting heuristics, the project has also led to the creation of a companion tool called "minjector" that contains +15…

Technically, AgentSmith-HIDS is not a Host-based Intrusion Detection System (HIDS), due to its lack of a rule engine and detection function. However, it can be used as a high performance 'Host Information Collect Agent' as part of your own HIDS solution. The comprehensiveness of the information that can be collected by this agent was one of the most important metrics during the development of this project, hence it was built to function in the kernel stack and achieve a huge advantage compared to those that function in the user stack, such as:

- Better performance: the information needed is collected in the kernel stack to avoid additional supplementary actions such as traversal of '/proc'; and to enhance the performance of data transportation, the collected data is transferred via shared RAM instead of netlink.
- Hard to bypass: information collection is powered by a specifically designed kernel driver, which makes it almost impossible for malicious software such as rootkits, which can deliberately hide themselves, to bypass the detection.
- Easy to integrate: AgentSmith-HIDS was built to integrate with other applications and can be used not only as a security tool but also as a good monitoring tool, or even a good detector of your assets. The agent is capable of collecting the users, files, processes and internet connections for you, so imagine that when you integrate it with a CMDB, you could get a comprehensive map consisting of your network, hosts, containers and business (even dependencies). What if you…

Simple TCP reverse shell written in Go. It uses TLS to secure the communications, and provides a certificate public key fingerprint pinning feature, preventing traffic interception.

Supported OS are:

- Windows
- Linux
- Mac OS
- FreeBSD and derivatives

Why?

Although meterpreter payloads are great, they are sometimes spotted by AV products. The goal of this project is to get a simple reverse shell, which can work on multiple systems.

How?

Since it's written in Go, you can cross compile the source for the desired architecture.

Getting started & dependencies

As this is a Go project, you will need to follow the official documentation to set up your Golang environment (with the $GOPATH environment variable). Then, just run go get github.com/lesnuages/hershell to fetch the project.

Building the payload

To simplify things, you can use the provided Makefile. You can set the following environment variables:

- GOOS: the target OS
- GOARCH: the target architecture
- LHOST: the attacker IP or domain name
- LPORT: the listener port

For the GOOS and GOARCH variables, you can get the allowed values here. However, some helper targets are available in the Makefile:

- depends: generate the server certificate (required for the reverse shell)
- windows32: builds a windows 32 bits executable (PE 32 bits)
- windows64: builds a windows 64 bits executable (PE 64 bits)
- linux32: builds a linux 32 bits executable (ELF 32 bits)
- linux64:…

Check-LocalAdminHash is a PowerShell tool that attempts to authenticate to multiple hosts over either WMI or SMB using a password hash to determine if the provided credential is a local administrator. It's useful if you obtain a password hash for a user and want to see where they are local admin on a network. It is essentially a Frankenstein of two of my favorite tools along with some of my own code. It utilizes Kevin Robertson's (@kevin_robertson) Invoke-TheHash project for the credential checking portion. Additionally, the script utilizes modules from PowerView by Will Schroeder (@harmj0y) and Matt Graeber (@mattifestation) to enumerate domain computers to find targets for testing admin access against.

The reason this script even exists is because on an assessment I wanted to gather all the PowerShell console history files (PSReadline) from every system on the network. The PSReadline console history is essentially the PowerShell version of bash history. It can include so many interesting things that people type into their terminals, including passwords. So, included in this script is an option to exfiltrate all the PSReadline files as well. There is a bit of setup for this. See the end of the Readme for setup.

For more info read the blog here: https://www.blackhillsinfosec.com/check-localadminhash-exfiltrating-all-powershell-history/

Examples

Checking Local Admin Hash Against All Hosts Over WMI

This command will use the domain…

C# utility that uses WMI to run "cmd.exe /c netstat -n", save the output to a file, then use SMB to read and delete the file remotely.

Description

This script will attempt to connect to all the supplied computers and use WMI to execute cmd.exe /c netstat -n > <file>. The file the output is saved to is specified by '-file'. Once the netstat command is running, the output is read via a remote SMB call and then deleted. While this isn't the stealthiest of scripts (because of the cmd.exe execution and saving to a file), sometimes you gotta do what you gotta do. An alternative would be to use WMI to remotely query netstat information, but that WMI class is only available on Win10+ systems, which isn't ideal. This solution at least works for all levels of operating systems.

Usage

Mandatory Options:

- -file = This is the file that the output will be saved in temporarily before being remotely read/deleted

Optional Options:

- -computers = A list of systems to run this against, separated by commas [or]
- -dc = A domain controller to get a list of domain computers from
- -domain = The domain to get a list of domain computers from

Examples

```
SharpStat.exe -file "C:\Users\Public\test.txt" -domain lab.raikia.com -dc lab.raikia.com
SharpStat.exe -file "C:\Users\Public\test.txt" -computers "wkstn7.lab.raikia.com,wkstn10.lab.raikia.com"
```

Contact

If you have questions or issues, hit…

I always had an interest in reverse engineering. A few days ago I wanted to look at some game internals for fun, but it was packed & protected by EAC (EasyAntiCheat). This means its handles were stripped and I was unable to dump the process from Ring3. I decided to try to make a custom driver that would allow me to copy the process memory without using OpenProcess. I knew nothing about the Windows kernel or the PE file structure, so I spent a lot of time reading articles and forums to make this project.

Features

- Dump any process's main module using a kernel driver (both x86 and x64)
- Rebuild PE32/PE64 header and sections
- Works on protected system processes & processes with stripped handles (anti-cheats)

Note: Import table isn't rebuilt.

Usage

Before using KsDumperClient, the KsDumper driver needs to be loaded. It is unsigned so you need to load it however you want. I'm using drvmap for Win10. Everything is provided in this release if you want to use it as well.

1. Run Driver/LoadCapcom.bat as Admin. Don't press any key or close the window yet!
2. Run Driver/LoadUnsignedDriver.bat as Admin.
3. Press enter in the LoadCapcom cmd to unload the driver.
4. Run KsDumperClient.exe.
5. Profit!

Note: The driver stays loaded until you reboot, so if you close KsDumperClient.exe, you can just reopen it!

Note2: Even though it can dump both x86 & x64 processes, this has to run on x64 Windows.

References

https://github.com/not-wlan/drvmap …

SAFE is a tool developed to create Binary Function Embeddings, developed by Massarelli L., Di Luna G.A., Petroni F., Querzoni L. and Baldoni R. You can use SAFE to create your function embeddings to use inside yara rules. If you are interested, take a look at our research paper: https://arxiv.org/abs/1811.05296

If you are using this for your research please cite:

```bibtex
@inproceedings{massarelli2018safe,
  title={SAFE: Self-Attentive Function Embeddings for Binary Similarity},
  author={Massarelli, Luca and Di Luna, Giuseppe Antonio and Petroni, Fabio and Querzoni, Leonardo and Baldoni, Roberto},
  booktitle={Proceedings of 16th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA)},
  year={2019}
}
```

This is not the code for reproducing the experiments in the paper. If you are interested in it, take a look at: https://github.com/gadiluna/SAFE

Introduction

Using yarasafe you can easily create signatures for binary functions without looking at the assembly code at all! You just need to install the IDA Pro plugin that you find in the IDA Pro Plugin folder of this repository. Once you have installed the plugin you can start creating embeddings for the functions you want to match. These embeddings can be inserted into yara rules to match functions using yara. To create powerful rules, you can combine multiple function embeddings with standard yara…

AlertResponder is a serverless framework for automatic response to security alerts.

Overview

AlertResponder receives an alert, that is, an event of interest from a security point of view, and responds to the alert automatically. AlertResponder has 3 parts of automatic response:

- Inspector investigates entities that appear in the alert, including IP addresses and domain names, and stores a result: reputation, history of malicious activities, associated cloud instance, etc. The following components are already provided to integrate with your AlertResponder environment. You can also create your own inspector to check logs that are stored in your original log storage or log search system.
  - VirusTotalInspector
- Reviewer receives the alert with the result(s) of the Inspector and evaluates the severity of the alert. Reviewer should be written by each security operator/administrator of your organization because security policies differ from organization to organization.
- Emitter finally receives the alert with the result of Reviewer's severity evaluation. After that, Emitter sends the alert to an external integrated system, e.g. PagerDuty, Slack, Github Enterprise, etc. Automatic quarantine can also be configured by an AWS Lambda function.
  - GheReporter

Concept

- Pull based correlation analysis
- Alert aggregation
- Pluggable Inspectors and Emitters

Getting Started

Please replace the following variables according to your environment:

- $REGION: Replace it with your AWS region. (e.g….
